Penetration Testing – Supplier Selection Criteria Defined

Penetration testing is an essential business investment; it enables you to find vulnerabilities in your internet-facing resources, providing you with the knowledge of which holes to patch up before attackers exploit them.

I recently interviewed one of IT Governance’s senior penetration testers, Geraint Williams, on how IT Governance maintains its reputation as a provider of high quality penetration testing services. This interview has been inspired by the most frequently asked questions by clients, who want to ensure they are using the right pen testing supplier.

1. What professional accreditation does IT Governance hold and what qualifications do the testers hold?

IT Governance is a CREST Approved Company. This means that we have been verified as meeting the rigorous standards mandated by CREST. Our Testers have qualifications such as:

  • CREST Registered Tester
  • EC-Council CEH (Certified Ethical Hacker)
  • CSTA (Certified Security Testing Association)
  • CSTP (Certified Security Testing Professional).

All our penetration testers are information security professionals (and will have CISSP, CISM, CISA, ISO27001 Lead Implementer, Lead Auditor or other security qualifications) and also have two or more years’ experience

2. Is there a formal code of conduct you adhere to which is overseen by an independent industry body?

Yes, we work to CREST code of conduct, plus testers work to code of conducts from the certification bodies such as CREST, (ISC)2 & EC-Council.

3. How do you ensure that your penetrations tests simulate a wide range of attacks?

Our test methodology is based on proven industry standards and we use a wide range of tools in combination of automated and manual scanning. In addition our testers undertake continuous professional development and research to ensure we stay up to date with the latest methodologies and attacks that are being deployed.

4. Do you have a proven testing methodology that is tailored for particular types of environment (eg infrastructure, web applications, mobile computing)?  

We offer a range of tests for different environments. However a key part in our processes is capturing client’s requirements and scoping the environment and the corresponding testing correctly in order to ensure we meet the client’s requirements.

5. Do you carry out specially tailored, manual tests to detect vulnerabilities or do you use a set of standard automated tools?

We use a combination of automated scanning, often with customised profiles and manual scanning to detect vulnerabilities

6. How important is research and development when it comes to being able to identify all significant vulnerabilities?

It’s very important to conduct research and development; our testers undertake continuous professional development including research to ensure we stay up to date with the latest methodologies and vulnerabilities. Our Testers are also encouraged to attend conferences and publish papers. I myself have published papers in international journals and have attended many conferences.

7. How do you ensure that results of tests are generated, reported, stored, communicated and destroyed in a manner that does not put the organisation at risk?

IT Governance is an ISO9001 and ISO27001 accredited organisations and as such we take Information security very seriously and have in place robust procedures to ensure client’s data is protected. We are audited against these procedures on a regular basis.

If you’d like to book a Penetration Testing service, or to discuss your requirements,  please call IT Governance now on 0845 070 1750 or email the pen testing team at